CTF Sedna from Viper (hackfest 2016)

Hi everyone, I did the first vuln VM from hackfest 2016 not long ago and I want to try this one now. It’s the second one by @ViperBlackSkull and it is the second walkthrough for me, so if you need more information you can reach me on twitter at @marghost. You can get the virtual machine HERE. So let's get started.

First of all let’s run a quick nmap and a nikto. I had already done those so I will just copy my note file. (Always keep a notepad open when you are hacking; it is the best advice I can give you.)

Ok so here we see many things. First of all we have two web servers, one samba server that can maybe be exploited, also an rpc server that may allow unauthenticated connections to the server, and of course an ssh server.

I first tried to find an exploit for the rpc server but I had no luck: metasploit had exploits to DoS or crash it, and the other exploits required nfs. I turned to the web servers. The one on port 80 has a robots.txt that is of no use. I skipped to 8080 and tried to poke around tomcat; you need to be authenticated to use the main exploit and the default username:password did not work. I tried to bruteforce the password with the tomcat_mgr_login auxiliary scanner from metasploit and found nothing.

So I put my attention on the port 80 server. There is nothing interesting in the /files/ directory. The system and user directories are locked down… The readme of the icon directory is anything but useful. I found something interesting in license.txt: the site uses BuilderEngine. A quick google search pointed out that I can exploit this to send a reverse php shell.

So first of all I need to create the builderengine.php file that will upload the malicious code into the /files/ directory of the remote server.

Once exploited, ruuuun to ssh and log in as fast as you can. You are on the edge, as Dirty COW is unstable as FU** and can cause a kernel panic at any time. To make it stable you need to enter a line of code.

Ok now I need to find the two post-exploit flags. My first reflex was to go and investigate the /files/users/ directory of the port 80 server…
This was a dead end. The next thing to snoop around in was the tomcat install, which I had not been able to log into even after trying to bruteforce the password.

So a little google search told me that tomcat passwords are stored in ‘/etc/tomcat7/tomcat-users.xml’.

Now it is time to log into the tomcat server. Nothing to be found there.

I snooped around a little more. Nothing to see in the running processes (ps -aux | less).

No special cron was used. (/etc/crontab)

I found it!!! A user named crackmeforpoints is in the user list (cut -d: -f1 /etc/passwd):
crackmeforpoints:$6$p22wX4fD$RRAamkeGIA56pj4MpM7CbrKPhShVkZnNH2NjZ8JMUP6Y/1upG.54kSph/HSP1LFcn4.2C11cF0R7QmojBqNy5/:17104:0:99999:7:::

So I will try to john my way to this password overnight… almost done!

root@kali:~/Downloads# john ./crack.password.db
Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
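As an added example (not from the original post or the VM): a small Python parser for the shadow entry quoted above. It decodes the $6$ header that john reported as sha512crypt and flags what a defender would check on such an account (hash scheme, rounds, expiry). The shadow line is a constructed copy of the one above, and the audit rules are my own assumptions.

```python
from datetime import date, timedelta

# Constructed copy of the /etc/shadow entry quoted in the walkthrough (not read from the VM).
SHADOW_LINE = ("crackmeforpoints:$6$p22wX4fD$RRAamkeGIA56pj4MpM7CbrKPhShVkZnNH2NjZ8JMUP6Y"
               "/1upG.54kSph/HSP1LFcn4.2C11cF0R7QmojBqNy5/:17104:0:99999:7:::")

# crypt(3) scheme prefixes; "$6$" is the one john labelled sha512crypt
CRYPT_SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
                 "y": "yescrypt", "2b": "bcrypt"}
EPOCH = date(1970, 1, 1)


def parse_shadow_line(line):
    """Split one shadow(5) entry into a dict and decode its crypt(3) hash header."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow entry must have 9 colon-separated fields")
    user, pw, lastchg, minage, maxage, warn, inactive, expire, _ = fields
    entry = {"user": user, "scheme": None, "salt": None, "rounds": None}
    if pw.startswith("$"):
        parts = pw.split("$")                  # ['', id, [rounds=N,] salt, digest]
        entry["scheme"] = CRYPT_SCHEMES.get(parts[1], "unknown")
        if parts[2].startswith("rounds="):
            entry["rounds"] = int(parts[2][len("rounds="):])
            entry["salt"] = parts[3]
        else:
            # glibc uses 5000 rounds for sha256crypt/sha512crypt when none is given
            entry["rounds"] = 5000 if parts[1] in ("5", "6") else None
            entry["salt"] = parts[2]
    elif pw.startswith(("!", "*")):
        entry["scheme"] = "locked"             # no password login possible
    elif pw == "":
        entry["scheme"] = "empty"              # passwordless account
    else:
        entry["scheme"] = "descrypt"           # legacy 13-character DES hash
    # field 3 is days since the Unix epoch; 17104 is 2016-10-30
    entry["last_change"] = EPOCH + timedelta(days=int(lastchg)) if lastchg else None
    entry["max_age_days"] = int(maxage) if maxage else None
    return entry


def audit_entry(entry):
    """Return the policy findings a defender would flag for this account (my own rules)."""
    findings = []
    if entry["scheme"] in ("md5crypt", "descrypt", "empty", "unknown"):
        findings.append("weak or missing hash scheme")
    if entry["scheme"] == "sha512crypt" and entry["rounds"] == 5000:
        findings.append("default 5000 rounds (pam_unix rounds= option raises it)")
    if entry["max_age_days"] in (None, 99999):
        findings.append("password never expires")
    return findings
```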

Ok, after a night John the crazy didn’t crack the password, so it is a little more complex than I expected. I got the flag and the job is done for me :). Have a nice day and I will see you in the next walkthrough.